This is an automated email from the ASF dual-hosted git repository.
wave pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
The following commit(s) were added to refs/heads/main by this push:
new c80e8e81 Adding docs about public API endpoints; fixes #660 (#849)
c80e8e81 is described below
commit c80e8e81a776279555e65cb4144759b14e8dd0d9
Author: Andrew Musselman <[email protected]>
AuthorDate: Mon Mar 9 18:19:49 2026 -0700
Adding docs about public API endpoints; fixes #660 (#849)
---
atr/docs/authorization-security.md | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/atr/docs/authorization-security.md
b/atr/docs/authorization-security.md
index dbcaf892..bf50831f 100644
--- a/atr/docs/authorization-security.md
+++ b/atr/docs/authorization-security.md
@@ -72,6 +72,14 @@ Release operations have the following access requirements:
**View release information** (public pages, download links):
* Allowed for: Everyone, including unauthenticated users
+* This includes the following API endpoints, which are intentionally
unauthenticated because they serve the same public information available on the
website:
+ * `/api/checks/list/<project>/<version>` — check results for a release
+ * `/api/checks/ongoing/<project>/<version>` — count of ongoing checks
+ * `/api/release/paths/<project>/<version>` — file paths in a release
+ * `/api/release/revisions/<project>/<version>` — revision history of a
release
+ * `/api/ssh-keys/list/<asf_uid>` — enumerates SSH key fingerprints for any
user
+ * `/api/keys/user/<asf_uid>` — enumerates OpenPGP keys for any user
+* Rationale: ASF release artifacts, their check results, and their metadata
are public by design. The release process is transparent and these endpoints
support tooling that consumes public release data.
**Start a new release**:
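Review bot: The rationale in the last added bullet covers only "release artifacts, their check results, and their metadata", but the final two endpoints in the list, `/api/ssh-keys/list/<asf_uid>` and `/api/keys/user/<asf_uid>`, return per-user key data keyed by `asf_uid` rather than release data, and they are filed under "View release information". Suggest giving these two their own entry with a rationale specific to user keys, and confirming that the statement "the same public information available on the website" also holds for SSH key fingerprints. The wording "enumerates ... for any user" describes a capability rather than the response; stating what each endpoint returns for one `asf_uid`, and how it responds to an unknown `asf_uid`, would let readers judge the exposure from the doc alone.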